Passkeys in U.S. Banking

[Image: Linky the hedgehog holding up a key with the text "Passkey" on it]

The future of login is here—but getting there is the hard part.

Passwords have been on borrowed time for years. They’re vulnerable to phishing. They create friction for users. And they cost banks time and money in resets, lockouts, and fraud remediation. Passkeys—based on public-private key cryptography—are a modern alternative designed to solve these problems at the root.

From a technology standpoint, passkeys are ready. But for U.S. banks, the challenge isn’t the cryptography. It’s everything else: compliance, integration, user education, cross-platform syncing, and system design.

How Passkeys Work (And Why They Matter)

At the core, passkeys are simple. When a user creates a passkey, their device generates a public and private key pair. The private key is stored securely on the user’s device or in an encrypted cloud vault. The public key is stored by the bank.

When the user tries to log in, the server issues a cryptographic challenge. The user’s device signs it with the private key—usually after a biometric check like Face ID or a fingerprint scan. The server verifies the signature using the public key. If everything checks out, access is granted.

No passwords are exchanged, and no shared secret ever leaves the device. The credential cannot be phished, because the signature is bound to the site's origin: a lookalike domain never receives anything it can replay against the bank. Passkeys remove the need for something the user knows and replace it with something they have (their device) and something they are (their biometrics, checked locally on the device and never sent to the bank).

The Regulatory Shift Is Real

Several regulatory bodies in the U.S. have taken clear steps to push financial institutions toward phishing-resistant authentication. Passkeys check that box.

  • FTC’s Safeguards Rule (Gramm-Leach-Bliley Act): Updated in 2022, it mandates multi-factor authentication for financial institutions under FTC jurisdiction. It doesn’t name passkeys directly, but it emphasizes phishing-resistant factors. Passkeys qualify.

  • New York Department of Financial Services (NYDFS): MFA has been required for covered financial institutions since 2017. Passkeys are increasingly seen as a compliant solution for meeting those expectations.

  • CISA (Cybersecurity and Infrastructure Security Agency): In its guidance, CISA recommends that financial services providers adopt phishing-resistant MFA. It specifically highlights FIDO2/WebAuthn standards—what passkeys are built on.

In short, regulators want banks to move away from passwords and SMS OTPs. Passkeys are one of the few options that actually meet the new standard.

Industry Standards Are in Place

The FIDO Alliance is behind the push for passkeys. They developed the WebAuthn and CTAP protocols that form the basis of FIDO2—used in everything from hardware security keys to platform authenticators like iCloud Keychain and Google Password Manager.

The standards are stable. The ecosystem is maturing. And the list of major banks and card networks adopting passkeys is growing:

  • JPMorgan Chase, Bank of America, Wells Fargo, American Express: All exploring or rolling out FIDO-based authentication.

  • Visa’s Payment Passkey: Designed to reduce friction and fraud in online transactions. Visa wants to eliminate the need for passwords and codes at checkout.

  • U.S. Bank, Armstrong Bank, First Financial Bank: Among the first wave of U.S. banks publicly deploying passkey login options for consumer banking portals.

Integration Challenges for Banks

Replacing passwords with passkeys isn’t a surface-level change. It affects nearly every layer of the banking stack.

Most banks rely on legacy identity and access management (IAM) systems built around password-based authentication. Retrofitting these systems to support FIDO2 and WebAuthn requires:

  • New backend flows for device registration and challenge/response

  • Frontend updates across mobile and web

  • Integration with existing multi-factor systems and fraud engines

  • Customer support retraining and tooling updates

It’s not just about adding a new login option—it’s about redesigning the bank’s entire identity infrastructure.

Banks also have to deal with fragmented customer journeys. A single user might move between web, native apps, customer service channels, and call centers. Passkeys need to work consistently across all of them. That takes careful system design.

Compliance Is Still a Gray Area

While passkeys generally align well with PSD2 and SCA in Europe—and with U.S. regulatory expectations—there’s a catch. Not all passkeys are equal under the law.

  • Device-bound passkeys (stored on a physical device, like a YubiKey or TPM module) clearly meet the possession requirement for SCA and other regulations.

  • Synced passkeys (like those stored in iCloud Keychain or Google’s password manager) introduce ambiguity. They’re convenient but can be seen as “cloud possession,” which some regulators argue weakens the security model.

This distinction matters for high-value transactions, cross-border payments, and fraud risk scoring. Banks need to tread carefully, especially in overlapping regulatory environments.

Adoption Depends on User Behavior

Even if the tech is solid and the compliance risks are managed, passkeys won’t succeed without user adoption. And that’s not guaranteed.

People know passwords. They’re used to OTPs. They’ve been trained by decades of login forms and "forgot password" flows. Introducing a completely new model—no passwords, no codes, just a biometric and a device—requires education and reassurance.

Banks will need to invest in:

  • Clear onboarding and opt-in flows

  • Help center content and tutorials

  • Fallback options for users who don’t trust (or can’t use) passkeys yet

Expect hybrid models for the foreseeable future: passkeys as the default, but passwords or OTPs as a backup.

Recovery Is the Underrated Risk

A lost device shouldn’t mean a lost account. That’s obvious. But in the world of passkeys, account recovery is one of the hardest problems.

With traditional credentials, you reset a password via email or SMS. With passkeys, the recovery flow must be phishing-resistant, intuitive, and secure against fraud. Options include:

  • Synced credential recovery through cloud platforms (Apple, Google)

  • Secondary devices registered with the account

  • Step-up verification using government ID or biometrics

Banks need to design these flows carefully—and test them thoroughly. Any weakness here becomes a new fraud vector.

Cross-Platform Gaps Still Exist

In theory, passkeys are interoperable. In practice, users switching from iPhone to Android (or vice versa) can still run into issues.

Cloud-synced passkeys depend on platform ecosystems. Cross-platform syncing isn’t seamless yet, and the user experience can be rough. Banks will need to prepare for questions like:

  • “Why did my passkey work on Safari but not on Chrome?”

  • “What happens if I switch to a new phone?”

  • “Can I log in from a shared or public device?”

Supporting all of this adds complexity, especially for banks serving diverse, multi-device customers.

The Upside Is Big

Even with all the challenges, the benefits are hard to ignore:

  • Phishing-resistant logins close off a huge fraud vector.

  • No passwords means no resets, fewer lockouts, and lower support costs.

  • Fast, native login experiences increase conversion and reduce abandonment.

  • Regulatory alignment helps banks stay ahead of future compliance audits.

Passkeys also future-proof a bank’s identity stack as the industry moves toward decentralized identity, embedded finance, and zero-trust architectures.

2025 Is the Turning Point

Momentum is building. Standards are stable. Tech platforms are aligned. U.S. regulators are signaling higher expectations. And more banks are launching passkey pilots and production rollouts.

But this won’t be a flip-the-switch change. It’ll be gradual, iterative, and full of edge cases. Banks that approach it holistically—identity architecture, compliance, UX, recovery—will have a real advantage.

Passkeys are ready. Now it’s up to the banks to catch up.

The insights in this post are based on industry research, conversations with banks and fraud prevention experts, as well as our own experience. The content is for general information only and not intended as legal, financial, or technical advice. While Enlace strives for accuracy, the information may not reflect the latest developments.

TL;DR - Quick Summary

  • Passkeys eliminate phishing risk, reduce friction, and lower support costs—but require deep changes to legacy IAM systems

  • U.S. regulators are pushing phishing-resistant MFA; passkeys align but synced credentials raise compliance questions

  • Adoption hinges on user education, fallback options, and seamless cross-platform support

  • Recovery and system design are major challenges—bad flows risk creating new fraud vectors

  • Early movers who solve for compliance, UX, and integration will lead the next era of secure banking login

Published on Mar 30, 2025

Ready to protect what matters?

Give your customers secure, seamless banking — with fraud protection that just works.